Asymmetric algorithm for generating short serial numbers
Introduction
Worst of all, when for your program the generator of serial numbers is created. Hacked (reworked) versions of programs are used much less readily - there is a risk of catching a virus or losing data. But when it is possible to download a genuine program from the official site and independently generate a number, this is a disaster for the developer.
The only way I know to protect myself from SNG (Serial Number Generator) is to use an asymmetric digital signature algorithm. In this case, 2 keys are generated: open and closed. The program is sewn public key, it is used to check the serial numbers. Only the developer has a private key: it can be used to generate a serial number (in fact, the serial number is the signature of the user name and licensing information).
')
Finding the private key and making the SNG in this case is almost impossible. This protection is only cracked by creating a modified version of the program with the substitution of the public key. But this is not always an easy task.
Very often, developers use RSA as a digital signature algorithm for generating SNs. The obvious drawback: SN is quite long. Here is the signature with a key of 512 bits (practically, the minimum key length):
Obviously, such an SN can be rather problematic to enter from the label of a boxed product version or dictate by phone :)
What are the solutions?
One of the well-known digital signature algorithms with a short signature is HFE . Unfortunately, it is patented and its use costs money.
Now about the main thing
I want to offer you an alternative public / private key algorithm, which is ideal for generating short serial numbers. It is very simple, reliable and absolutely free. Attached to the article is a file with the implementation of the algorithm in C #.
The algorithm is very simple, but quite stable against SNG.
On the issue of authorship. I have not met the description of this algorithm; therefore, I still consider myself to be its pioneer (even if it is very simple). If someone proves the opposite, I will be grateful.
So, a few facts about this algorithm:
The data are given in the format: signature length; CPU time required for hacking:
4 bytes ~ 100 years
5 bytes ~ 35 thousand years
6 bytes 8 million years
As you can see, even a very short signature is very reliable. Although, the hacking time can be set within reasonable limits: the longer the hacking time you set, the longer the digital signature will be checked, the longer the public / private key will be generated. The table above shows the hacking time at which a digital signature is checked for 1 sec. (It is quite acceptable to check the SN when registering the program). During the signature, the constant INTRICACY, declared in the KuSigner class, is responsible.
The second important parameter is the key length. The longer the key, the less collisions, but the longer it is generated. The length should be equal to the number of advanced unscrupulous users of your program (who have the sense and impudence to unite in order to search for collisions).
The strength of the algorithm is based on the irreversibility of the hashing function. My implementation uses the MD4 algorithm (my own implementation in C #). Although there are collisions in this algorithm (MD4) and it is not suitable for many tasks, it is completely reliable for our task. Paranoids, of course, can replace it with SHA1.
To understand in detail how my algorithm works, it’s best to look at the source code. IMHO, it will be the easiest way.
Now a few simple examples of using my code:
1. Key generation:
2. Export key to xml:
3. Key recovery from xml:
4. Signature string:
5. Verify the signature line:
Now, for starters, I suggest you hack this algorithm (not for free!) .
I post the public key (with the same parameters as in the example above: length 5 bytes, durability 1000). The time of the signature is very small, a few milliseconds (INTRICACY = 256), in real projects it needs to be increased. I keep the private key.
Next, I give a few lines and their signatures with my private key:
1. String (hereinafter without quotes): "Hello world", signature: 945D50CCFD
2. Line: “test”, signature: 4C4CA4C336
3. Line: “test2”, signature: EF20C68781
You can verify these signatures using the public key, which is located in the archive attached to the article.
And now attention! Who can get the signature of the line "Vasya Pupkin", I will give 25 WMZ. Quite seriously. The amount, of course, is not big, but the main thing in this matter is not money ...
Please note that anyone can check the signature of the line “Vasya Pupkin” (there is a public key). But only I can impose a signature (if you prove the opposite, you will receive a prize and public recognition :)).
Waiting for your comments!
PS
The most important thing: a link to the archive with the implementation of the algorithm and the public key .
Worst of all, when for your program the generator of serial numbers is created. Hacked (reworked) versions of programs are used much less readily - there is a risk of catching a virus or losing data. But when it is possible to download a genuine program from the official site and independently generate a number, this is a disaster for the developer.
The only way I know to protect myself from SNG (Serial Number Generator) is to use an asymmetric digital signature algorithm. In this case, 2 keys are generated: open and closed. The program is sewn public key, it is used to check the serial numbers. Only the developer has a private key: it can be used to generate a serial number (in fact, the serial number is the signature of the user name and licensing information).
')
Finding the private key and making the SNG in this case is almost impossible. This protection is only cracked by creating a modified version of the program with the substitution of the public key. But this is not always an easy task.
Very often, developers use RSA as a digital signature algorithm for generating SNs. The obvious drawback: SN is quite long. Here is the signature with a key of 512 bits (practically, the minimum key length):
7095C60FC9ABE8968A1DDB8A9E36FCF0DBDDAC6ACE0B648E9ED72B6DC7E06880
ACF7DCC058A7433340B01E2409579210B8ACE2B3F663D2368ACEE815E3FF6E1B
Obviously, such an SN can be rather problematic to enter from the label of a boxed product version or dictate by phone :)
What are the solutions?
One of the well-known digital signature algorithms with a short signature is HFE . Unfortunately, it is patented and its use costs money.
Now about the main thing
I want to offer you an alternative public / private key algorithm, which is ideal for generating short serial numbers. It is very simple, reliable and absolutely free. Attached to the article is a file with the implementation of the algorithm in C #.
The algorithm is very simple, but quite stable against SNG.
On the issue of authorship. I have not met the description of this algorithm; therefore, I still consider myself to be its pioneer (even if it is very simple). If someone proves the opposite, I will be grateful.
So, a few facts about this algorithm:
The data are given in the format: signature length; CPU time required for hacking:
4 bytes ~ 100 years
5 bytes ~ 35 thousand years
6 bytes 8 million years
As you can see, even a very short signature is very reliable. Although, the hacking time can be set within reasonable limits: the longer the hacking time you set, the longer the digital signature will be checked, the longer the public / private key will be generated. The table above shows the hacking time at which a digital signature is checked for 1 sec. (It is quite acceptable to check the SN when registering the program). During the signature, the constant INTRICACY, declared in the KuSigner class, is responsible.
The second important parameter is the key length. The longer the key, the less collisions, but the longer it is generated. The length should be equal to the number of advanced unscrupulous users of your program (who have the sense and impudence to unite in order to search for collisions).
The strength of the algorithm is based on the irreversibility of the hashing function. My implementation uses the MD4 algorithm (my own implementation in C #). Although there are collisions in this algorithm (MD4) and it is not suitable for many tasks, it is completely reliable for our task. Paranoids, of course, can replace it with SHA1.
To understand in detail how my algorithm works, it’s best to look at the source code. IMHO, it will be the easiest way.
Now a few simple examples of using my code:
1. Key generation:
KuSigner kuSigner = new KuSigner(1000, 5); // ( :)), <br><br>kuSigner.GenerateKeys(); // : <br><br> * This source code was highlighted with Source Code Highlighter .2. Export key to xml:
string publicKey = kuSigner.ToXmlString( false ); // <br><br> string privateKey = kuSigner.ToXmlString( true ); // , <br><br> * This source code was highlighted with Source Code Highlighter .3. Key recovery from xml:
KuSigner publicSigner = new KuSigner(publicKey);<br>KuSigner privateSigner = new KuSigner(privateKey); <br><br> * This source code was highlighted with Source Code Highlighter .4. Signature string:
byte [] signatureBytes = privateSigner.Sign( Encoding .UTF8.GetBytes( " " ));<br><br> // , ( ) <br> string signatureString = BitConverter.ToString(signatureBytes).Replace( "-" , string .Empty); <br><br> * This source code was highlighted with Source Code Highlighter .5. Verify the signature line:
bool isValid = privateSigner.VerifySignature( Encoding .UTF8.GetBytes( " " ), signatureBytes); <br><br> * This source code was highlighted with Source Code Highlighter .Now, for starters, I suggest you hack this algorithm (not for free!) .
I post the public key (with the same parameters as in the example above: length 5 bytes, durability 1000). The time of the signature is very small, a few milliseconds (INTRICACY = 256), in real projects it needs to be increased. I keep the private key.
Next, I give a few lines and their signatures with my private key:
1. String (hereinafter without quotes): "Hello world", signature: 945D50CCFD
2. Line: “test”, signature: 4C4CA4C336
3. Line: “test2”, signature: EF20C68781
You can verify these signatures using the public key, which is located in the archive attached to the article.
And now attention! Who can get the signature of the line "Vasya Pupkin", I will give 25 WMZ. Quite seriously. The amount, of course, is not big, but the main thing in this matter is not money ...
Please note that anyone can check the signature of the line “Vasya Pupkin” (there is a public key). But only I can impose a signature (if you prove the opposite, you will receive a prize and public recognition :)).
Waiting for your comments!
PS
The most important thing: a link to the archive with the implementation of the algorithm and the public key .
Source: https://habr.com/ru/post/69623/
All Articles